The reason is that the comments aren't removed when looking forward, so any checks forwards will fail when the comments are removed, putting JSReg in a different state than the browser, as you and lever one cleverly highlighted :D

Thanks very much for this awesome work!
Should be fixed now, the <!-- comment parser was out by one =) it didn't move the position at the end of the comment. I added "this" to the left check and put back the inline comment check in the output.

Artificial insertion (in this case ";") can be used to tell the difference between an obj. literal and a block:
insertion --> check syntax -->
A) if syntax error --> this is a obj. literal
B) if still valid syntax --> this is a block

The result is returned without the artificial insertion.
The advantage is that the code structure is not modified.

for(;{}/i/i;)break; // for(;function(){}/i/i;)break; <-- still incorrect

The artificial insertion can also be used to check if this is a function or func. expression (whether there is a reference to the function).

1. Insertion should always be done before the "function" (if it is a function or f. expression) or before the opening bracket "{" (if it is a block or object).
2. To check the syntax after the insertion, all the code has to be taken and not just part of it. Is it possible?
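The insertion probe described in the comment above, as an added example that is not part of the original thread and is not JSReg code. `parses` and `probe` are hypothetical names, `new Function` stands in for "check syntax" because it compiles the whole text without running it, and every sample except the `for(;{}/i/i;)` line is constructed.

```javascript
// Added example, not JSReg code. parses() and probe() are hypothetical names.

// True when the whole source parses as a function body.
// new Function only compiles the text; it never executes it.
function parses(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Insert ";" at `index` (the position of "{" or of the "function" keyword)
// and re-check the WHOLE program, as step 2 of the comment requires.
// Only the probe copy is changed; the caller's source stays as it was.
function probe(source, index) {
  if (!parses(source)) return 'invalid input';
  const probed = source.slice(0, index) + ';' + source.slice(index);
  // Still valid: the token started a statement (block / declaration).
  // Syntax error: the token sat in expression position (object literal /
  // function expression).
  return parses(probed) ? 'statement' : 'expression';
}

// [source, token to probe]; constructed samples plus one line from the thread.
const samples = [
  ['x = {a:1}', '{'],                     // object literal
  ['if(1){a:1}', '{'],                    // block
  ['function x(){}', 'function'],         // declaration
  ['1,function x(){}', 'function'],       // function expression
  ['(function(){\n\n})();', 'function'],  // needs the whole program to parse
  ['for(;{}/i/i;)break;', '{'],           // from the thread: {} is an object here
  ['if(1){}else{}', '{'],                 // block that cannot be detached from "else"
];

function runSamples() {
  return samples.map(([src, tok]) => probe(src, src.indexOf(tok)));
}

console.log(runSamples());
```

The last sample is a block that the probe reports as an expression, because the inserted ";" detaches it from its `else` and the program stops parsing.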

Sorry for the delay, I took some time to think about this. I've decided to enforce functions by using a semi-colon at the beginning and the end.

So for example :-
function x(){}

becomes:-
;function x(){};

Function expressions are modified with parens

so:
1,function x(){}

becomes:
1,(function x(){})

Which should enforce expressions without breaking anything. This way the syntax will break but should not result in a sandbox escape. I can then fix the syntax errors once the vector has been eliminated.

Syntax checking is hard and although it was a really nice idea I'm not sure it will be possible since it would require me to backtrack the code or look forward and parse multiple times. Patterns such as:-
(function(){

})();

Will always result in a syntax error unless the whole code is checked each time. I could store various locations where I placed a semi-colon and remove them before the final eval but it would be too slow IMO.

Nice! I couldn't see the bug myself as the latest version of Safari doesn't seem to allow it. But I fixed it by inserting a semi-colon after a regex if a function follows. I've also improved the eos insertion and spaces insertion to be slightly more clever in how they're inserted. Thanks! I keep hoping after every fix you won't be able to break it yet you still do :D

Whoa, that one was amazing. I didn't know how to fix it, but since the eos insertion was working and this relies on the browser state being different than the jsreg state, I thought: when the comments are stripped, force a space after the detected regex if a "/" is detected after it, so that there is no confusion between the two.

Man, so I close up hiding it in a comment and then you hide it in a regex lol you're good. I track the starting square position, then when the ending square occurs I gather the contents of the object accessor and see if the syntax is valid. If the syntax isn't valid then an attack is occurring since you've managed to inject an uneven ")". If you can somehow inject a valid syntax looking object accessor but still break out of the paren then you'll break it again.